I’m working on a rating stars plugin. That way you click on a button on an item/page and vote for that page.
Right now I’m using Google Recaptcha.
I tried it on another project on my only client but it was not received well.
- I can’t see the details on all the images
- It’s not working well on my phone
- I want to fill in a form, not click a lot of images
On that project I developed a very simple thing:
When I’ve clicked the checkbox, it fills in a hidden field with JS, using a simple math formula. It involves time and a custom set number. It also has a honeypot. It would probably protect against most of the bots, but if someone wants to spam just that site it might not be secure against an attacker.
On the server side of my rating plugin, an IP number can only be used once for one page. That’s a kind of protection as well.
The big question
If you needed to use this plugin, what kind of solution do you prefer? As a client, user and developer.
Maybe you have another better solution? I don’t like captchas at all and I don’t like filling in a color of the sky or the result of 10 + 5. From a user perspective I can live with a checkbox.
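A server-side version of the checks described in this post (honeypot, a time-based hidden field, one vote per IP per page), as an added example that is not part of the original post. It swaps the client-side math formula for an HMAC-signed timestamp issued by the server, so the check does not rely on a formula that can be read from the page's JS; the secret, time limits, field names and in-memory store are assumptions.

```javascript
const crypto = require("crypto");

// Assumptions for this sketch: a per-site secret kept on the server,
// hypothetical time limits, and an in-memory store instead of a database.
const SECRET = "constructed-demo-secret";
const MIN_AGE_MS = 2000;            // a vote faster than this is unlikely to be a person
const MAX_AGE_MS = 30 * 60 * 1000;  // the hidden field expires after 30 minutes
const votes = new Set();            // "ip|pageId" pairs that already voted

function sign(pageId, issuedAt) {
  return crypto.createHmac("sha256", SECRET)
    .update(`${pageId}|${issuedAt}`).digest("hex");
}

// Value for the hidden field, bound to one page and one point in time.
function issueToken(pageId, now = Date.now()) {
  return `${now}.${sign(pageId, now)}`;
}

// Returns "accepted" or a rejection reason; only accepted votes are recorded.
function checkVote({ ip, pageId, token, honeypot }, now = Date.now()) {
  // The honeypot field is invisible to people, so any value means a script filled it.
  if (honeypot) return "rejected: honeypot filled";

  const [issuedAtStr, mac] = String(token || "").split(".");
  const given = Buffer.from(mac || "", "utf8");
  const expected = Buffer.from(sign(pageId, issuedAtStr), "utf8");
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "rejected: bad token";
  }

  const age = now - Number(issuedAtStr);
  if (age < MIN_AGE_MS) return "rejected: too fast";
  if (age > MAX_AGE_MS) return "rejected: token expired";

  // One vote per IP per page, as the plugin already enforces.
  const key = `${ip}|${pageId}`;
  if (votes.has(key)) return "rejected: already voted";
  votes.add(key);
  return "accepted";
}
```

A script that loads the page and waits can still obtain a valid token, so this raises the cost for generic bots rather than stopping a determined attacker.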
From a UX perspective I’ve always been a strong defender of not having captchas at all. The user should not have to be the one “paying” for the problems we face with spam. I started writing down on paper how I would “secure” a plug-in for kudos which would face the same issues as yours. I was at the point where I thought that a “triple layer would do”:
- IP protection (blacklisting known IP addresses)
- setting a cookie to remember who already voted
And then at some point I went back to the drawing board and thought I would request users to sign up for an account before voting which is a hell of a lot more work for bots. But I’d probably lose a lot of ratings…
It’s hard to decide. On a big project I worked on in an agency, we outsourced the ratings and reviews to the market leader in that segment. They had compelling arguments backed by data to show that a user determined enough to write a review will go through the process of signing up most of the time. The problem you face though is that the positive reviewers tend to abandon the process faster than the angry reviewer. I could talk for hours about the subject and the epic conversations it led to between me, the client, and the third party.
setting a cookie to remember who already voted
I guess this protects against users who try to vote twice but not against bots? I already save the IP, but yes, the user might change IP and use the same computer again.
we outsourced the ratings and reviews to the market leader in that segment.
Which is? I looked for online services but could not find any.
The problem you face though is that the positive reviewers tend to abandon the process faster than the angry reviewer.
I can imagine that. Let’s hide all votes lower than 3.
The third party is Bazaarvoice and the client a big French tire manufacturer (shouldn’t be too hard to guess which one).
You cannot start guessing how the “random” reviews displayed on a product page are picked… It’s all automated but there are a few lines of code that help “pick” the right ones.
Back to your topic. No captcha. They’ll soon disappear. And I’m sure that the same way Google is going to penalize pop-ups tomorrow, they’ll penalize captchas soon!
No captcha. They’ll soon disappear.
You think so? The bots get smarter all the time?
And I’m sure that the same way Google is going to penalize pop-ups tomorrow, they’ll penalize captchas soon!
You are aware that they are the author of Recaptcha?
Then they would not do what they teach. That would not be the first time.
Yes I’m fully aware they created recaptcha. But that doesn’t mean they won’t change their mind! They created the algorithm that led to people stuffing their meta keywords with tons of stuff to rank higher in results. They ended up ditching the keywords.
It’s only my opinion, and it’s only based on my personal gut feeling.
What I’m trying to say though is that any solution you can find to avoid putting the burden of fighting spam on your side rather than on the user’s side is a step in the right direction! Unique IP per vote is not ideal though (as you know).